HOWTO rescue deleted Linux files | undelete | unremove | unrm | rm -v

Here's how we rescued a LaTeX *.tex file that was
accidentally removed on a Linux box.

Stop doing anything else on the system. The idea is to
use the disk as little as possible. (We stopped short of
killing idle daemons, because we didn't want them scribbling
stuff in log files.)

Know the first few bytes of the file you want. Hopefully
they are fairly unique. The LaTeX document we wanted
began with the characters "\document", so we used that pattern.

Write a program that reads each sector from the raw
partition (you must be root; assuming 512-byte sectors is
safest) and checks whether it begins with the pattern.
If not, it loops and reads the next 512 bytes.
If it does, the program saves that sector and a fixed
number of following sectors (we did 600 more
sectors, which is 300 KBytes) in a rescue file.
Save probably twice as much as the length of the file
you think you're looking for. Save the rescue files to
an extra partition -- or invoke "scp" or something to save
them on another machine. (Usually ext2 & ext3 store
files contiguously on disk -- especially if they are not
too big & are written all at once.)

The following TCL script did the job. Make it open the
exact partition you want to scan. It needs another partition
to write the rescue files to.

Use "less" to examine the rescue files to see if you can find
your data. Also the "strings" command is very good about
extracting ASCII text portions.
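
The sector scan described in the steps above, written as an added Python example (it is not the TCL script this page refers to). The function names, the rescue-file naming and the constructed 8-sector demo image are assumptions; on a real system `device` would be the raw partition opened as root and `out_dir` a directory on a different partition.

```python
import os
import tempfile

SECTOR = 512  # sector size the page assumes as the safest choice


def scan_for_pattern(device, pattern, out_dir, extra_sectors=600):
    """Save every sector that begins with `pattern`, plus `extra_sectors`
    following sectors, to its own rescue file. Returns [(offset, path)]."""
    hits = []
    with open(device, "rb") as dev:  # read-only: the source is never written
        sector_no = 0
        while True:
            sector = dev.read(SECTOR)
            if not sector:  # end of partition or image
                break
            if sector.startswith(pattern):
                offset = sector_no * SECTOR
                # Assumed naming scheme: byte offset of the matching sector.
                path = os.path.join(out_dir, f"rescue_{offset:012d}.bin")
                with open(path, "wb") as out:
                    out.write(sector)
                    out.write(dev.read(extra_sectors * SECTOR))
                # Resume at the next sector so a later match inside the
                # saved range still gets its own rescue file.
                dev.seek(offset + SECTOR)
                hits.append((offset, path))
            sector_no += 1
    return hits


def demo():
    """Constructed 8-sector image with a 'deleted' LaTeX file at sector 3."""
    doc = b"\\documentclass{article}\n\\begin{document}lost\\end{document}\n"
    image = bytearray(b"\xaa" * (8 * SECTOR))
    image[3 * SECTOR:3 * SECTOR + len(doc)] = doc
    with tempfile.TemporaryDirectory() as tmp:
        img_path = os.path.join(tmp, "disk.img")
        with open(img_path, "wb") as f:
            f.write(image)
        hits = scan_for_pattern(img_path, b"\\document", tmp, extra_sectors=2)
        with open(hits[0][1], "rb") as f:
            data = f.read()
    return [off for off, _ in hits], len(data), data.startswith(doc)


if __name__ == "__main__":
    print(demo())
```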

Even better, if you have physical access to the machine,
shut down the system IMMEDIATELY and physically
install its disk as an extra drive in another unix box.
Do your scanning of the raw disk from there. (In our
recent case, we didn't have access to this box.)
Or boot a KNOPPIX CD (which will not write to any partitions
unless you specifically mount them writeable from a root shell.)

I've also used this kind of technique to rescue JPEG files
from a digital camera's Compact Flash with a corrupted FAT
file system. We wrote a program that started a new rescue
file every time it found "JFIF" as the first 4 bytes
of a sector, even if it was still saving the previous
rescue file. We completely rescued about 3/4 of the
images this way,
and fragments of more.

Obviously the data you are rescuing must be important
enough to warrant this much trouble with no guarantee
of successful results.

Your file could always have been overwritten, or it could
be fragmented so you don't find the pieces. But the couple
of times I've had to do this (for someone else's data!)
we've had pretty good success.